Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Firewall, Intruders
- Thread starter Alabaster
- Start date
- Sort by reaction score
You could start the firewall that is included with OSX. Its located in the Sharing panel of the System Preferences.
Unless you have a router, having a built-in firewall of its own.
Wonder if having a static vs. a dynamic IP would help?
I got told by an IT not to run too many though as they will interfere with each other and sometimes even block each other from doing certain things. I'm not sure how true it is but I use the one in OS X + the one in my router.
spork183
macrumors 6502a
the more important question is "do they have physical access to your computer?" If yes, then a firewall won't do you a lot of good. Buy a dog...
Multiple firewalls get to be a pain if you have to open up ports. I'm running three. Luckily I don't have to alter anything often, but when I do, it is three different processes, in three different places, and the terminology for prompts is just different enough to make it interesting.
compuwar
macrumors 601
Don't load software from untrusted sources. Don't follow links in email. Don't render HTML in email. Don't leave the system unattended. Don't have it automatically log you on a boot. Don't use untrusted media.
valdore
macrumors 65816
I think Apple would have us all believe that one need not bother with these precautions when using macs.
Counterfit
macrumors G3
Pretty much all of them except the first one (although that, too, applies) are not usually platform-specific. Especially leaving it unattended and automatic login on boot. Once someone gains physical access to a system, it doesn't matter what kind of security you have, unless it's a retinal scan to open the 512-bit encrypted disk that everything is on.
Mitthrawnuruodo
Moderator emeritus
Yes, if they are running on the same machine... here we're talking about having one running on your computer and another on the router...
compuwar
macrumors 601
For brevity, I'll quote the checklists in the documents with checklists.
1. Don't load software from untrusted sources.
So, are you going to assert that every Mac-specific Trojan to date hasn't been loaded by a user seeking to add new software to their system?
Apple artical 108009 "Safety tips for handling email attachments and content downloads says:
2. Don't follow links in E-mail.
3. Don't render HTML in E-mail.
Are you asserting there's something in OSX that makes its users invulnerable to phishing schemes?
4. Don't leave the system unattended.
From http://images.apple.com/server/pdfs/Tiger_Security_Config.pdf page 134:
Action Items:
5. Don't have it automatically log you on at boot.
From http://images.apple.com/server/pdfs/Tiger_Security_Config.pdf page 138:
Action Item:
6. Don't use untrusted media.
From http://images.apple.com/server/pdfs/Tiger_Security_Config.pdf page 139:
Action Items:
Looks to me that Apple addresses everything except phishing, and my quick search only uncovered this:
Which only covers mail.app, not taking into account the many Web-based email services most people use at least one of.
Mitthrawnuruodo
Moderator emeritus
All good advice, really... except for point 5 which actually doesn't add any real security, since it's very easy to circumvent, and as long as you carefully follow point 4, it's not necessary at all... 😉
Ummmm,,, I humbly beg to differ. In my case, I have a Netgear router, which has both NAT + SPI firewall built-in. My understanding, and I could be mistaken, is that a h/w firewall trumps a s/w firewall.
In addition, I saw that when I was running the Apple s/w firewall while on the Netgear, that connections times were slow to much slower to even piss-poor connections [and, no that was because I was far away, I'm w/in 4' of the router at those times 😉].
Lastly, according to Pogue's book [😛], "if you have a router, you can turn off your Apple firewall". 😉
savar
macrumors 68000
There are lots of misperceptions about firewalls. Most firewalls are not that intelligent, they simply limit which ports can be used, and which direction they can be used in.
A simple example is a network administrator at a small company wants to put their whole network on the internet. So he buys business DSL and a router, and boom (to quote Steve Jobs), they are all online. But the admin can't always control what people do with their computer. Maybe joe schmo at the company wants to set up a web server, but sets it up wrong and now people from the outside have access to all of his files, and by extension, any files on the network that he has access too. The network admin prevents this situation by blocking all incoming requests on ports 80 and 8080 -- the default http and https ports. Now nobody on the network can web host on those ports, but they can still browse the web because outbound requests are still allowed.
Most firewalls don't do much more than this. There is very complex software out there that takes it to another level, analyzing network traffic and looking for suspicious events. That software is much more expensive, and only in use at large corporations and government organizations, etc.
So multiple firewalls can't really hurt, although it could be confusing/annoying if you need to reconfigure your network. Hardware firewalls and software firewalls can do all the same things, too. Actually, a "hardware" firewall is still just a microcontroller running some software program anyway, so the distinction really is whether the firewall is running on an individual workstation, or it's running on some peripheral device where it can provide coverage to the whole network.
One principle that most people miss is that the firewall is really only for the network admin. When certain nodes on a network have a trusted relationship with each other (say I have a share on the main server that is always mounted), then compromising my node compromises that server as well. The admin uses the firewall to protect people from themselves, as it were. In my example above, the same situation could have been avoided by Joe Schmo simply not opening up his HTTP port to begin with.
So on your personal computers, a firewall is redundant, because you already know (hopefully!) what software you're installing. The only real reasons to keep it turned on are 1) it usually doesn't hurt, 2) it protects you from yourself, 3) it protects you from spyware that might try to open a port on your computer. In practice, these turn out to be good enough reasons just to leave it turned on all the time.
Anyway, it always bugs me when IT types of people try to talk about things they don't know anything about. Most IT tech support people are *not* as savvy as you would think, but people think they have expertise and so they listen to anything a techie says.
mkrishnan
Moderator emeritus
It all depends on what you want. The two firewalls serve different purposes. If you think about a medieval castle, the hardware firewall is like the moat and outer walls. It regulates anything going on from outside the intranet. The software firewall is still important in some cases (although not usually at home, assuming your wireless gateway is appropriately secured) because, it, like the walls of the actual "inner castle" regulate flow of information inside the intranet.
So a typical corporate setup, for instance, would be to have a very restrictive external firewall and a slightly less restrictive internal firewall (which allows some ports that are needed for intranet apps). The same thing can, in principle, be good on a home intranet, particularly if there are vulnerable devices on it -- e.g. Windows computers.
compuwar
macrumors 601
The "Belt and suspenders" approach to security means having overlapping security controls is a good thing. I didn't add the screensaver password thing, which I should have. In an office environment, the most damaging intrusions often come from those who have physical access to the facility. That often goes for schools and fairly often for homes as well.
Now, I don't know about you, but I've been doing INFOSEC for about 24 years now, and both my direct experiences and research say that it's a very good and very valid control, even in physically controlled environments.
compuwar
macrumors 601
I suppose it matters what you mean by "most firewalls." Most commercial firewall products (that is actual firewalls, not other products with some subset of firewall features thrown in) do at least track state- which is necessary for "which direction they can be used in" for UDP (with TCP it's easy to do direction to start a connection, with UDP- not so much.) Most commercial firewalls also offer the ability to control which user can access which ports- though many places use it only for "inbound" connectivity. Many firewalls also have the ability to control the number of connections, and/or detect and limit floods, sweeps, etc.
So, if "most firewalls" mean "Network firewalls" there's more than simply address/port matching going on with the check for SYN flags by themselves thrown in.
If you mean firewalling features, then application firewalling like Apache's mod_security allow more granular content-type filtering, as do things like Squid and application layer gateways (just in case you meant "layer 5 aware firewalls.")
If you meant personal firewalls, then almost all of them do application aware filtering and permissioning.
I have some issues with some of your other risk assumptions, but I'll spare everyone the topic drift.
Now, ~74% of corporate firewalls are either misconfigured, or not configured to block attacks the firewall is capable of blocking. So while there's a bunch of interesting and sophisticated stuff you can do with most firewalls and/or free replacements, most places simply don't take advantage of those things.
That could be because simple port blocking takes care of somewhere around the 80th percentile of attacks that network layer firewalls are capable of taking care of with 2% of the effort and 1% of the problems you get when you do more aggressive/intelligent firewalling.
[Disclosure: I edit the Network Firewall FAQ and run Firewall-Wizards, so I'm assuredly pro-firewall.]
Mitthrawnuruodo
Moderator emeritus
Well, I do see the point of locking the screen (Keychain access -> preferences -> General and check Show status in Menu Bar) when leaving an otherwise secured Mac for a few seconds or even a minute, because the reboot-from-os-x-disc-and-change-password takes some time, but I don't bother with disabling automatic login...
compuwar
macrumors 601
You've made your own risk assesment. Both Apple (it would seem) and I tend to think it's a risk not worth taking for a secure machine- but then neither of us is trying to force the decision on you, we're simply pointing to the risk and the solution.